Contributed by SupplierPlus, ITFA Member Institution
The Tallinn SCF Summit 2023, organised by SupplierPlus and ITFA on 8-9 February, brought together corporates, banks, fintechs, and policymakers from Central and Eastern European countries to discuss developments in supply chain finance.
The capital of Estonia provided a great platform for these discussions as 99.8% of all bank transactions are authenticated by national and private eIDs, and the state is proactively improving the business environment to exchange data, ensure compliance, and provide financing in or near real-time.
Three high-level take-aways from the event:
See below for more content from the Tallinn SCF Summit 2023:
Video recordings from the Tallinn SCF Summit 2023
Session transcript: How are eIDs, APIs, and AI changing compliance in trade and supply chain finance?
The esteemed members of the panel were:
Where is the most potential right now to develop the eID sector?
“Naturally, it’s an evolving sector,” said Rei from eID Easy, continuing, “eIDs aren’t new but over the last couple of years, especially during the pandemic, governments worldwide woke up to the need to give people a need to log into e.g. tax systems. Ensuring people could do that securely became very apparent, as the question of legitimacy for document signatures still matters.
“Within EU legislation, you have levels of credibility assurance that you’re dealing with the right person/entity. The current talk (and I actually think it passed an EU parliament vote already) is to stick to the level of assurance “high” instead of insisting on the “substantial” level in eIDAS2.
“Moving away from the ‘simple’, into ‘proper’ digital signatures, we’re into levels like ‘qualified digital signature’ as part of the KYC process. By using QTSPs and Qualified Electronic Signature (QES), you outsource some of the liability of verifying the identity of the person signing the document to the QTSP,” concluded Rei.
Edwards raised the concern within fintech that moving too quickly risks breaking the whole system. “Countries like the UK & Sweden still don’t trust QESs. We like things to move quickly so, when talking about trading, you don’t have time to go to a QTSP to qualify a signature. Increasing emphasis is placed on QTSPs to provide both trust and proof! This idea of having government-approved providers is very strong, certainly in the EU. However, the need to move quickly needs to be tempered with the risk of breaking it.”
Rei responded, “Once you establish QES as part of the infrastructure, it actually lowers costs and opens the door for more case studies. The tension you mention will remain for some time, as compatibility requires some sacrifice; either quality to get people on board, or insistence on purity, i.e. legislating to get people on board. That unresolved tension needs addressing, of course. Many countries are on this journey and it’s only going to increase.”
Estonian government easing the burden of KYC
Edwards asked Osanik about how his government is supporting the process of investing upfront to satisfy the requirements of QES and ease the burden of KYC that still exists for many.
Osanik replied, “One thing we lack is the common technical data standards between countries that limit communication, which remains a big issue. The EU is making this a priority, yet Estonia is already far ahead on this path. We’re doing something differently to the rest.
“We’ve managed to build trust with the population in stages over the years. Other countries need proven examples of such systems working before they’ll say, “Okay, let’s try that!” The problems of unified approaches between e.g. EU and non-EU nations still exist.
Cross-border cooperation still requires huge amounts of labour hours as a result of the non-adoption of common standards.
Technology driving swifter KYC for more efficient transactions
Edwards invited Ablhad to offer his perspective, given Dun & Bradstreet’s position of sitting between the two realities, as a provider of some of these services to clients who need them. “What’s the landscape looking like for you and where are the current opportunities?”
“Yes, we provide various forms of digital identity and look to assist particularly in supplier onboarding using this new form of technology. KYC could still, in extreme cases, take up to 3 months before we had sufficient data to support onboardings. With the advent of correct electronic identity resolution, we’re reducing that time significantly.
“For example, nowadays for some Swedish or Estonian companies, KYC can take literally minutes, not months. However, if you’re choosing the route of eID-driven KYC/AML protocols (and it’s currently not universally obligatory to do so), this still depends on verifying authorised signatories – and the creation of the relevant APIs is speeding this particular process up.
“We’re in a much better tech phase now; we have very strong source data (provided via D&B) and a reliable identity solution. So, our customers, i.e. company owners or principal representatives thereof, only then need their customers to use the relevant apps and all parties experience a swifter KYC process, thus accelerating transactions,” explained Ablhad.
Digital identities from the legal perspective
It is well-known already that trust in digital identity solutions is high, with 99% of all government services being made available 24/7 with secure access via eID entry. Edwards asked Pent for her view on the legal perspective as to why digital IDs can remain problematic for some though.
“It’s easy for Estonian companies to rely on digital ID services, but an element of risk does still remain. It’s up to institutions to determine which types of IDs are sufficient, yet regulators might be the ones ultimately deciding. So, many obligated entities don’t find out until after the event if something is insufficient, that is unless the state levels the scales and makes it clearer for all,” she replied.
Rei’s view, from inside the eID sector, takes that idea further. “Of course, the EU is doing well at providing a QTSP framework, but PTSPs are also in play and there’s a lot of work going on to meet the trust requirements and close the gap.
“Trust is fundamental, especially when doing business across the world! If I do a multi million euro deal with a Swedish company, I could do that with a handshake. With a Danish company, maybe I need a signature, but still we know each other reasonably well. The further afield we go though, there might be a reduction in trust. I need it to be legally binding, that the identity is assured and that the digital signature is valid. I need a QES for that.
“When doing SCF over the world, this is where the trust element exists and the need for legal frameworks supports the network. The adoption curve for this is picking up though, with more TSPs than last year thanks to the increased pick-up rate of the existing ones, offering increased usability, improving onboarding, etc.
“Suddenly governments realise the importance and relevance of eIDs and QESs. Now the market is maturing beyond the idea of a signature on a PDF and more embracing the digital solutions available,” said Rei.
Edwards, steering back to known issues of scepticism, pointed out that, “UK people say, “We just want ‘simple’!” The idea of trust is increasing and last year’s question of ‘trust v proof’ still applies today, where ‘proof = legal’ but trust remains a different matter. Trust is more than proof. Kirsti – should we legislate and make a safe harbour on a government level, i.e. “It’s enough if you use this for KYC”? Regulators don’t appear to agree.”
Pent replied, “It would be easier, yes, if the rules were clear! But we’re moving away from that. The last AML forum I attended took more of a risk-based approach that would give companies more flexibility. Now we’re in a situation where the need to max out risk-mitigation to create safety exists. But if we could establish a minimum standard, that would be a good start.”
The role of legislation in compliance
Continuing the theme of legislation in compliance, the panel then considered the question of what defines ‘enough’. Should governments legislate and give a clear requirement (“If you do this, that’s enough – you’ve complied with law – no more liability!”), or do we need more flexibility?
Ablhad’s view was that more flexibility is definitely needed. “Risk-appetite is still high in the landscape. You have to take this into consideration when establishing your guidelines. It would be almost too easy for the law to say it has to be this way.”
Osanik agreed. “What we’re doing in Estonia is to take the standardised route. Collated data on the government level at least guarantees quality levels that can be trusted. Put this into a receivable format, some kind of dataset, that at least makes the same data available and keeps databases pure. Repeated data collections generate the risk of human data entry error.
“So, when I’m sharing my personal data, it’s mine, not the state’s: I should have access to it, the state should provide that access. Making it accessible in a logical, risk-assessed manner, you can decide if the processes are different for checking a person’s background.
“Companies are spending huge amounts. KYC alone in Estonia is costing €40m per annum. Scale that up in the EU! The main proportion of that is manual data collection. Imagine if the data were more easily available and machine readable. Imagine the reduction of that cost!”
Rei’s response emphasises how data ownership is crucial: “Think GDPR. Some nations have more sensitive approaches to personal data than others. We need to clarify what permissions exist for various entities to access certain info; as Särav pointed out, only certain agencies should see certain data: permissions-based access via APIs will determine effectiveness there.”
Legal authority behind verified digital signatures
AUDIENCE:
A question from the audience addressed the subtle distinction between proof of identity and proof of signature. “When onboarding a client, individual and corporate levels, it’s sometimes a struggle to see how transactions can guarantee retention of legitimacy.”
Pent replied, “In Estonia, it’s so easy, because of visibility, e.g. in the business register. But that’s not repeated in other countries of course. Due diligence still applies.”
“According to law, you can even send a power of attorney just by sending an email or SMS – a valid proof of signatory authority which can be shared and reused – I think we’re unique on that,” pointed out Osanik, referring again to Estonia’s successful example of digital X-Road.
“The question of how to establish authority is a vital one. Cross checks between company authorities to ensure that ‘Person A’ has the authority to sign do exist but they’re not universal. More adoption of tech to drive this is required when it comes to cross-border trade,” said Rei.
“For example, if you are conducting a multi-million euro deal and have an extensive due diligence process in place, you already know the right person who needs to sign the documents at the other end. Initiatives do exist in some Nordic countries to tie into business registries and find out if someone has the legal authority to sign documents on behalf of a company.
“As for APIs, interoperability is key but it needs citizens and companies to drive the demand, wallets, etc. will have increasing influence. API ensures the data can communicate with other systems; it’s not a difference in approach per se. The wallet is more of the end usability, they’ll be adopted and will play a big role.
“Once Apple persuades a couple of countries in the EU to get on board, there will be a domino effect: users will see the benefits, adoption will grow, and then other countries will get on board.”
API effectiveness as a case study
Adding to the overall understanding of legal authority, Ablhad said, “KYC/AML-related APIs have been active in preventing sanctions-busting. One of the APIs we provide, integrated into e.g. a client’s billing systems, can flag when ‘Company A’ has bought something from ‘Company B’. When it comes to payment, the API raises a flag, which helps prevent ‘Company A’ from making payment to ‘Company B’, who could potentially be on a sanctions list.
“In one specific such case, a client’s payment was blocked overnight as it related to a potential sanctions hit. In the current climate, this is not only a regulatory concern but also a reputational one. Paying that supplier represented a potential risk and our API caught it, demonstrating a key benefit of automation of KYC processes. This automation reflects prevention, rather than cure – potentially stopping the problem before it’s been caused.”
“The API spoke to a programme without the need for human re-screening, alerting ‘Company A’ to initiate an investigation which resulted in the payment being blocked, thus potentially saving them from receiving a regulator penalty and possible media exposure. It’s hard to put a price on that. Clearly we’re not able to identify either party but it represents a useful case study nonetheless,” reassured Ablhad.
Leveraging digital KYC solutions to reduce costs
Audience – KYC alone is costing Estonian businesses c€40m per annum, even with the systems we have, but are not yet fully machine-readable solutions. When machine-readable solutions roll out fully, how much do you anticipate that 40m figure for KYC to drop? And how might that scale across the EU?
Osanik’s big idea relates to international cooperation, e.g. between Singapore and the Nordic states. “I want to show that what we’re building will increase automation. If you trust the state and the data, it can scale; register data is machine-readable but not issued in machine-readable formats. But once you make it available, to help companies build new KYC/AML, of course costs will reduce. The EU alone is a multi-billion euro digital data industry.”
The truth is that nobody knows right now how much can be saved by adopting today’s digital identity and signature solutions, yet it’s clear to Osanik that continued investment in technology that supports business’ responsibility in KYC/AML will significantly reduce workload – and when you know how many work days you’re saving, you can calculate on that principle and scale up!
“95% of KYC-compliance-obligated companies are not complying, either properly or at all. If you look at regulation data, you see the kind of companies who are on that list; real estate agencies, for example, have improved, following action by the Financial Investigation Unit, who concluded that almost all real estate companies don’t follow KYC obligations fully. So, even when obligated companies start their KYC, the question is if they’re doing so partially or fully,” explained Osanik.
“Smaller auditors/bookkeepers with many clients don’t appear to comply fully, yet the law demands regulatory compliance regardless of how well you think you know your customer! Whether you are the President or a contractor, the KYC check should be done equally. If you give access to the data and can see that this person is no risk, or, as a non-resident, is a higher risk, then you reduce your workload from 80% to 20% – the data then does the work for you.
“The state won’t take the responsibility to do the check, but it could indicate to you the check needs to be done. You have the info you need to make an informed decision, thus increasing compliance! Money laundering risk is therefore reduced, as the corruptor will be caught in the check and the question of where the money came from can be asked. We don’t want control, we want systems that protect the marketplace with an equal set of rules,” Osanik concluded.
And that concluded the discussion, with clarity that there is some way to go before technological solutions can prove and provide their worth, while recognising that digitalisation is already having a profound effect on optimising processes and reducing risks in compliance.